Saturday, May 8, 2010

Computer Forensic Experts

The spread of crime using computers was inevitable, even in the sleepy towns of Bryan|College Station, Texas. The ease with which people can access literally billions of documents and images over the internet has made computer "crimes" a hot area in law enforcement in recent years. Our question is how to defend against such charges by the government. One answer is using computer forensics, that is, utilizing a defense expert to preserve, analyze, and produce data from computer media storage.

When conducting an analysis in computer forensics, the “expert” uses tools (i.e., software) to examine and extract information pertaining to the alleged crime. However, a problem area is whether one can be considered an expert solely based on the ability to use a tool or software package to analyze the computer data, without being able to clearly define how the tool works or to review the source code. The majority of the tools and software used by computer forensics experts are proprietary and copyrighted. This eliminates the ability to access the source code. Currently, this inability of the expert to test the code and understand how it works has not hindered the admissibility of an expert’s testimony. In Texas, criminal courts have found that an expert does not need to know the code of the software package nor the background processes (see Williford v. Texas, 127 S.W.3d 309). Questions arise concerning whether an expert who cannot attest to area three of Daubert qualifies as an expert.

The third criterion of Daubert states that specific factors such as peer review, error rates, and acceptability in the relevant scientific community are important elements to consider when determining the reliability of a scientific test, including proprietary software programs used to analyze a computer hard drive. However, it's difficult to meet the third criterion due to a lack of error rates for most of the software used by the forensic experts. Additionally, there are no standards in the field or peer reviews of methods. The courts have found that an inanimate object (e.g., a software package) cannot be considered an expert. This does not mean the object (or results from that object) cannot be used for scientific testimony. The individual using the software package simply needs to testify regarding the procedures used.

A possible argument to be made in criminal court regarding the third criterion of Daubert is that the computer forensic community has accepted certain industry standard tools such as EnCase, a common program used by experts to analyze computers. The question, then, becomes whether it's justified to say that the "relevant scientific community" has accepted certain software packages. Currently, experts must qualify their educational background, which includes courses taken by corporate or federal agencies on how to operate software packages (like EnCase).

1 comment:

I just read through the entire article of yours and it was quite good. This is a great article thanks for sharing this informative information. I will visit your blog regularly for some latest post. Great post!